A method for tracking and tracing sensitive network behavior
By constructing a cross-modal semantic graph and intent classification model, the problem of inaccurate semantic parsing and source tracing of multi-source heterogeneous data is solved, enabling accurate tracking and source tracing of sensitive network behaviors, and providing a logically rigorous source tracing chain and intuitive reports.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- BEIJING FULE TECH CO LTD
- Filing Date
- 2026-03-21
- Publication Date
- 2026-06-26
AI Technical Summary
Existing technologies struggle to provide comprehensive coverage and lack deep semantic analysis capabilities when processing multi-source heterogeneous data, resulting in inaccurate tracking and tracing of sensitive network behaviors and an inability to provide convincing evidence for attribution.
By collecting and preprocessing multi-source heterogeneous data, a cross-modal semantic graph is constructed. A large language model is used for semantic parsing and feature extraction. An intent classification model is trained to locate intent trigger points and build a tracing chain, ultimately generating a standardized report.
It enables precise tracking and efficient tracing of sensitive network behaviors, improves the comprehensiveness and accuracy of identification, provides a logically rigorous tracing chain and intuitive tracing results, and supports interactive operation and report export.
Smart Images

Figure CN122287633A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of network security technology, specifically to a method for tracking and tracing sensitive network behaviors. Background Technology
[0002] With the rapid development of network technology, network architecture is becoming increasingly complex, and various devices and systems are widely interconnected, generating data from diverse sources and in various formats. This data includes multiple dimensions such as network transmission, device operation, and user operations, forming a complex multi-source heterogeneous data system. At the same time, sensitive behaviors in cyberspace occur frequently, including unauthorized access, data theft, and abuse of privileges. These behaviors not only threaten data security and privacy protection but may also disrupt the stable operation of network systems, causing serious damage to individuals, enterprises, and even public interests. Therefore, tracking and tracing sensitive network behaviors has become a key requirement in the field of cybersecurity. It is necessary to integrate multi-source data through effective technical means, analyze behavioral semantics, clarify intent relationships, and accurately locate the source and propagation path of behaviors to provide strong support for network security protection.
[0003] Traditional sensitive network behavior tracking and tracing technologies have significant limitations when dealing with complex network environments. At the data processing level, traditional methods often struggle to comprehensively cover multi-source heterogeneous data, lacking effective integration and adaptation mechanisms for data of different formats and types, which can easily lead to data omissions or inefficient processing, and fail to fully uncover the underlying correlations in the data. In terms of semantic parsing and graph construction, traditional technologies lack deep semantic analysis capabilities, making it difficult to achieve effective alignment and correlation quantification of cross-modal data. The constructed graphs often have loose node connections and ambiguous hierarchical divisions, failing to accurately reflect the intrinsic connections between behavior, data, and devices. In terms of intent recognition and tracing reasoning, traditional methods often rely on single features or simple rules for judgment, lacking the ability to accurately classify behavioral intent, and failing to fully consider multi-dimensional factors in causal relationship analysis, resulting in inaccurate location of intent trigger points, incomplete tracing chains, and weak logic, making it difficult to provide convincing tracing evidence. Summary of the Invention
[0004] The purpose of this invention is to overcome the shortcomings of existing technologies and provide a method for tracking and tracing sensitive network behaviors. This method involves collecting and preprocessing multi-source heterogeneous data to construct a cross-modal semantic graph; using a large language model for semantic parsing and feature extraction to train an intent classification model to predict the intent of sensitive behaviors; locating intent trigger points and constructing a complete tracing chain through an intent trigger point causal contribution algorithm; and finally generating a standardized report containing behavior details, intent analysis, and tracing evidence chain, which is presented through visualization tools. This method achieves accurate tracking and efficient tracing of sensitive network behaviors.
[0005] To solve the above-mentioned technical problems, the present invention provides the following technical solution: a method for tracking and tracing the source of sensitive network behaviors, the specific steps of which are as follows: S1, Multi-source data acquisition and preprocessing: Collect multi-source heterogeneous data in the network environment, and store the collected data in a distributed database after standardization, encapsulation, verification, deduplication and desensitization. S2, Cross-modal semantic graph construction: The preprocessed multi-source heterogeneous data is input into a large language model for semantic parsing and feature extraction. The node association weights are calculated through a cross-modal semantic fusion weight algorithm to construct a cross-modal behavioral semantic graph. S3, Sensitive Behavior Intent Classification: Train the intent classification pre-trained model, predict the intent type of behavior nodes in the semantic graph, filter sensitive behavior nodes with confidence scores higher than a preset threshold, and form a sensitive behavior-intent association set; S4, Causal Chain Reasoning and Source Tracing: Input the sensitive behavior-intent association set into the behavior causal chain reasoning engine, quantify the causal contribution of nodes and locate the intent trigger point through the intention trigger point causal contribution algorithm, and build a complete source tracing chain; S5, Visualization of Source Tracing Results: Integrates semantic graphs, intent classification results, causal chains, and intent trigger points to generate standardized source tracing reports that include behavioral details, intent analysis conclusions, and source tracing evidence chains. The source tracing results are presented through visualization tools, supporting interactive operations and report export.
[0006] Furthermore, in S1, the multi-source data acquisition preprocessing involves acquiring multi-source heterogeneous data from the network environment. This multi-source heterogeneous data originates from various devices and systems within the network environment, including network traffic characteristics, operation log text, API call sequences, terminal device operating status data, user operation behavior records, network session connection information, and file transfer logs generated by core servers, network switches, terminal devices, and application systems.
[0007] Furthermore, in S2, the construction of the cross-modal semantic graph, the large language model adopts a layered structure design based on the Transformer architecture, including an input layer encoding module, a semantic parsing module, a feature extraction module, and a cross-modal adaptation module. The input layer encoding module encodes the preprocessed multi-source heterogeneous data in a unified format to achieve input adaptation for different types of data. The semantic parsing module performs contextual semantic association analysis through a multi-layer Transformer encoder to complete the behavioral entity recognition, behavioral relationship extraction, and preliminary semantic intent determination. The feature extraction module performs key feature selection and enhancement on the parsed semantic information based on an attention mechanism, outputting a fixed-dimensional semantic feature vector. The cross-modal adaptation module performs semantic alignment processing for the modal differences of multi-source data.
[0008] Furthermore, in S2, the formula for the cross-modal semantic fusion weight algorithm in cross-modal semantic fusion is: ;in, For nodes in cross-modal behavior semantic graph With nodes The association weight; Encoding nodes for large language models and semantic similarity; For nodes and The normalized value of the co-occurrence frequency of the corresponding behavior; This is the time decay factor; ; The attenuation coefficient is... They are nodes The time when the corresponding behavior occurred; These are the modal fit coefficients; Let be the weight coefficient, and satisfy... .
[0009] Furthermore, in S2, the process of constructing a cross-modal semantic graph in cross-modal semantic graph construction is as follows: Based on the semantic parsing results and extracted feature information of preprocessed multi-source heterogeneous data, the definition and division of graph nodes are first completed, clarifying that the node types cover network layer nodes, device layer nodes, behavior layer nodes, and data layer nodes; network layer nodes correspond to network addresses, ports, and network protocols; device layer nodes correspond to terminal devices, servers, and IoT devices; behavior layer nodes correspond to operation behaviors, access behaviors, and data transmission behaviors; data layer nodes correspond to log data, configuration data, audit data, image data, and video data, where image data includes screenshots of cloud desktop operations, device monitoring, and user interface operations, and video data includes videos of cloud desktop operations, security monitoring, and terminal device operating status; each node is associated with semantic feature vectors, behavioral attributes, timestamps, and modal type attribute information, and image nodes are additionally associated with visual feature vectors. The visual feature vector includes texture, contour, and operation area features. Video nodes are additionally associated with frame sequence feature vectors, frame extraction results, and timeline information. Based on the association weights calculated by the cross-modal semantic fusion weight algorithm, association edges are established between nodes within each layer. These association edges include intramodal and cross-modal associations between images, videos, and text, and between videos and text. Simultaneously, cross-layer association edges are constructed between nodes. These cross-layer association edges include subordinate associations between video data nodes and terminal device nodes, causal associations between cloud desktop operation screenshot nodes and user operation behavior nodes, and interactive associations between video frame feature nodes and network traffic nodes. The association edges are labeled with corresponding weight values and association types, including causal associations, subordinate associations, and interactive associations. Consistency checks are performed on nodes and association edges at each layer to verify the rationality of associations between visual and non-visual modal nodes, eliminating invalid associations, false associations, and redundant nodes to ensure that the association logic of multimodal data in the graph is rigorous and the feature alignment is accurate.
[0010] Furthermore, in S3, the specific process of training the intent classification pre-training model in the sensitive behavior intent classification is as follows: BERT-base is selected as the basic pre-training model. Behavior records from preprocessed multi-source heterogeneous data, semantic graph behavior layer node information, and public network security behavior datasets are used as training data sources. The training set, validation set, and test set are divided in an 8:1:1 ratio. The training set comprises 80% of the samples and is used for iterative updating of model parameters, allowing the model to learn the mapping relationship between behavioral features and intent categories. The validation set comprises 10% of the samples and is used to monitor the model's generalization ability during training, assist in adjusting hyperparameters, and trigger early stopping strategies. The test set comprises 10% of the independent samples, which are not involved in model training and parameter tuning, and are used for final evaluation of model performance. The labeled intent categories include illegal access, data theft, permission abuse, malicious code execution, and violation of data rules. Based on the transmitted sensitive intent and normal operational intent, a labeled training sample set is formed. During training, the 76-dimensional contextual semantic features of the behavior nodes, the weights of associated nodes, and the behavior attribute information are concatenated as model input. The AdamW optimizer is used, with a learning rate of 2e-5 and a batch size of 32. The cross-entropy loss function is used as the optimization objective. An early stopping strategy is introduced during training: training is stopped when the validation set loss does not decrease for 5 consecutive epochs to avoid model overfitting. After training, accuracy, recall, and F1 score are used as evaluation metrics to verify the model performance. If the metrics do not meet the preset standards (accuracy ≥ 0.9, F1 score ≥ 0.85), the model structure is optimized by adjusting the learning rate, increasing the amount of sample data, or introducing an attention mechanism, and retraining is performed until the model performance meets the standards. Finally, a pre-trained intent classification model with stable sensitive behavior intent prediction capabilities is obtained.
[0011] Furthermore, in S3, the process of predicting the intent type of behavior nodes in the semantic graph and filtering sensitive behavior nodes with a confidence level higher than a preset threshold in the sensitive behavior intent classification is as follows: First, extract the semantic features, behavioral attributes, and associated node information corresponding to each behavior node in the semantic graph, input them into the trained intent classification pre-trained model, determine the intent type of each behavior node, and output the corresponding confidence level. The determined intent types include illegal access, data theft, permission abuse, malicious code execution, illegal data transmission, and normal operation. The preset confidence level threshold is set to 0.85, and the model... The confidence scores of the output behavioral nodes are compared with the threshold. Nodes with a confidence score greater than or equal to 0.85 and whose intent types are illegal access, data theft, permission abuse, malicious code execution, or unauthorized data transmission are selected as sensitive behavioral nodes. The selected sensitive behavioral nodes are verified to ensure that the semantic features and behavioral attributes of the nodes match the determined sensitive intent types. The sensitive behavioral nodes are then associated and bound with the corresponding intent types. The graph location of each sensitive behavioral node, the identifier of the associated node, and the timestamp of the behavior occurrence are recorded, ultimately forming a structured sensitive behavior-intent association set.
[0012] Furthermore, in S4, the formula for the intention trigger point causal contribution algorithm in causal chain reasoning tracing is: in, Represents a node Causal contribution to the triggering of sensitive intentions; These are the intent relevance weight, time sequence weight, and association propagation weight, respectively; satisfying... The values are all within the range of 0.2 to 0.5, and can be dynamically adjusted according to the actual traceability scenario; For nodes The semantic relevance to the target-sensitive intent I is calculated using the cosine similarity between the node feature vector and the intent feature vector, i.e. ,in For nodes semantic feature vectors, The standard feature vector of sensitive intent I; For nodes The time-series weights are calculated using a time-series decay function, i.e. ,in For sensitive intent trigger time, For nodes The corresponding time of the behavior, k is the attenuation coefficient, and its value ranges from 0.01 to 0.1; For nodes The set of directly adjacent nodes in a semantic graph For nodes With neighboring nodes The association weights are derived from a cross-modal semantic fusion weighting algorithm; For adjacent node pairs Causal contribution transit terms, Representative node The causal contribution of sensitive intent triggers reflects the causal relationship transmission effect between nodes, and is calculated iteratively for all nodes. When the iteration error is less than The calculation is stopped at this point, and the causal contribution is calculated. The largest node is determined as the intent trigger point; if multiple nodes exist... If the difference is less than 0.05, the node that first exhibits the behavior is determined as the intent trigger point, based on the sequence of node behaviors.
[0013] Furthermore, in S4, the specific process of constructing a complete tracing chain in causal chain reasoning is as follows: taking the located intent trigger point as the core, extracting the graph-level information related nodes and behavior occurrence timestamps corresponding to the trigger point, and sorting out the network layer, device layer, behavior layer, and data layer nodes that are directly related to the trigger point; setting a causal contribution degree screening standard, selecting nodes with a causal contribution degree greater than or equal to 0.3 and behavior occurrence timestamps earlier than the trigger point as pre-inducing nodes, and selecting nodes with a causal contribution degree greater than or equal to 0.2 and behavior occurrence timestamps later than the trigger point as subsequent influencing nodes; connecting the pre-inducing nodes, intent trigger points, and subsequent influencing nodes in the order of behavior occurrence timestamps, and labeling each connected node with the corresponding intent type, causal contribution degree, and association type, including causal association, subordinate association, and interactive association; performing integrity verification on the chain structure formed by the connection, supplementing the missing key node association information, and eliminating redundant nodes without actual association; integrating the verified node connection relationship and each node information to form a complete tracing chain containing node level, node identifier, behavior time sequence, and causal relationship.
[0014] Compared with existing technologies, this method for tracking and tracing sensitive network behaviors has the following advantages: I. This invention achieves comprehensive integration and in-depth analysis of various heterogeneous data in the network environment by combining multi-source data acquisition and preprocessing with cross-modal semantic graph construction. It performs semantic analysis and feature extraction based on a large language model, establishes close connections between nodes at each level through scientific association weight calculation, and completes semantic alignment of data from different sources and formats, allowing scattered data to form an organic whole. In the sensitive behavior intent classification step, through systematic model training and rigorous confidence screening, it accurately identifies various sensitive behaviors and their corresponding intents, effectively avoiding misjudgments and omissions. This end-to-end optimization from data integration to intent recognition significantly improves the comprehensiveness and accuracy of sensitive network behavior identification, laying a solid foundation for subsequent source tracing work and helping users quickly grasp core information on network security risks.
[0015] Second, this invention achieves accurate tracing and clear presentation of sensitive network behaviors through an intent trigger point causal contribution algorithm and a complete tracing chain construction process. By quantifying the causal contribution of nodes, it accurately locates intent trigger points and filters key nodes by combining behavior sequence and association type, forming a logically rigorous, complete and coherent tracing chain. At the same time, with the help of the visualization function of tracing results output, it transforms complex semantic graphs, causal relationships and intent analysis conclusions into intuitive and easy-to-understand standardized reports, supporting interactive operation and report export. This tracing mode, which combines accuracy and practicality, can not only clearly restore the occurrence and development process of sensitive behaviors and provide strong evidence for the handling of network security incidents, but also lower the understanding threshold of tracing results, improve the convenience of network security management, and provide comprehensive support for the security of the network environment.
[0016] Other advantages, objectives and features of the invention will be set forth in part in the description which follows, and in part will be apparent to those skilled in the art from the following examination or study, or may be learned from the practice of the invention. Attached Figure Description
[0017] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the accompanying drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are merely some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without any creative effort.
[0018] Figure 1 A flowchart illustrating a method for tracking and tracing sensitive network behaviors; Figure 2 This is a schematic diagram of data transmission for a method of tracking and tracing sensitive network behaviors. Figure 3 A schematic diagram illustrating data transmission for classifying sensitive behavioral intentions. Detailed Implementation
[0019] To further illustrate the technical means and effects of the present invention in achieving its intended purpose, the following detailed description of the specific implementation methods, structures, features, and effects of the present invention, in conjunction with the accompanying drawings and preferred embodiments, is provided below.
[0020] Example 1: Example of tracing the source of abuse of internal network privileges within an enterprise.
[0021] Large manufacturing enterprises have internal networks that connect production management servers, employee office terminals, workshop IoT devices, and various business application systems. Some employees have unauthorized access to core production data. The method of this invention is needed to track and trace the abuse of permissions to ensure the security of production data.
[0022] This process collects multi-source heterogeneous data from the enterprise's internal network environment, including operation log text from production management servers, network traffic characteristics from network switches, user operation records from employee office terminals, API call sequences from business application systems, terminal device operating status data, network session connection information, and file transfer logs. The collected structured, semi-structured, and unstructured data are standardized and packaged to ensure uniformity and compatibility with subsequent analysis processes across different sources and formats. Data validation is performed to remove incorrectly formatted or invalid data entries, reducing interference in subsequent analysis. Duplicate records are removed through deduplication to avoid data redundancy and consuming storage resources. Sensitive fields involving employee privacy are anonymized to ensure compliant and legal data processing. Finally, the processed and complete data is stored in a distributed database, providing high-quality and reliable data support for subsequent semantic analysis, graph construction, and other stages.
[0023] The preprocessed multi-source heterogeneous data is input into a large language model based on the Transformer architecture. This model uses an input layer encoding module to achieve a unified format encoding for different types of data, solving the problem of multi-source data input adaptation. The semantic parsing module uses a multi-layer Transformer encoder to perform contextual semantic association analysis, accurately completing behavioral entity recognition, behavioral relationship extraction, and preliminary semantic intent determination, uncovering hidden behavioral associations behind the data. The feature extraction module uses an attention mechanism to select and enhance key features of the parsed semantic information, outputting fixed-dimensional semantic feature vectors to improve the targeting of feature expression. The cross-modal adaptation module performs semantic alignment processing for modal differences in multi-source data, eliminating the understanding barriers between different modalities. Subsequently, a cross-modal semantic fusion weight algorithm is used to calculate the association weights between each node, with the formula: ;in, For nodes in cross-modal behavior semantic graph With nodes The association weight; Encoding nodes for large language models and semantic similarity; For nodes and The normalized value of the co-occurrence frequency of the corresponding behavior; This is the time decay factor; The attenuation coefficient is... They are nodes The time when the corresponding behavior occurred; These are the modal fit coefficients; The weighting coefficients are used to define and divide nodes into four categories: network layer, device layer, behavior layer, and data layer, based on the semantic parsing results and extracted feature information. Network layer nodes correspond to network addresses, ports, and network protocols; device layer nodes correspond to terminal devices, servers, and IoT devices; behavior layer nodes correspond to operational behaviors, access behaviors, and data transmission behaviors; and data layer nodes correspond to log data, configuration data, audit data, image data, and video data. Each node is associated with a semantic feature vector, behavioral attributes, timestamp, and modality type attribute information. Image nodes are additionally associated with visual feature vectors containing texture, contour, and operation area features, while video nodes are additionally associated with frame sequence feature vectors, frame extraction results, and timeline information. Based on the calculated association weights, association edges are established between nodes within each layer and between nodes across layers. Intra-layer association edges include intra-modal and cross-modal associations between images, videos, images and text, and videos and text. Cross-modal association edges include subordinate associations between video data nodes and terminal device nodes, causal associations between cloud desktop screenshot nodes and user action nodes, and interactive associations between video frame feature nodes and network traffic nodes. All association edges are labeled with corresponding weight values and association types. Finally, consistency checks are performed on the nodes and association edges at each layer to verify the rationality of associations between visual and non-visual modal nodes, eliminating invalid, false, and redundant associations to form a complete and accurate cross-modal behavioral semantic graph, providing a structured behavioral association carrier for subsequent intent classification.
[0024] BERT-base was selected as the basic pre-trained model. Preprocessed internal enterprise behavior records, semantic graph behavior layer node information, and publicly available cybersecurity behavior datasets were used as training data sources. The dataset was divided into training, validation, and test sets proportionally to ensure comprehensive training and objective evaluation. During training, the contextual semantic features of behavior nodes, the weights of associated nodes, and behavior attribute information were concatenated as model input to enrich the model's input dimensions. A specified optimizer and cross-entropy loss function were used to optimize model parameters, while an early stopping strategy was introduced to avoid overfitting and ensure good generalization ability. After training, accuracy, recall, and F1 score were used as evaluation metrics to validate model performance, ensuring the model met preset performance standards and making intent prediction results more reliable. Ultimately, a pre-trained intent classification model with stable and sensitive behavioral intent prediction capabilities was obtained. Semantic features, behavioral attributes, and associated node information corresponding to each behavioral node in the semantic graph are extracted and input into a pre-trained intent classification model. The model determines the intent type of each behavioral node and outputs the corresponding confidence score. The determined intent types cover sensitive intents such as illegal access, data theft, and abuse of permissions, as well as normal operation intents. A preset confidence threshold is set, and the confidence scores of each behavioral node output by the model are compared with this threshold. Sensitive behavioral nodes with a confidence score that meets the threshold and whose intent type is abuse of permissions are selected, accurately pinpointing the source target. Information verification is performed on the selected sensitive behavioral nodes to confirm that the semantic features, behavioral attributes, and intent types of the nodes match correctly, avoiding misjudgments. Subsequently, sensitive behavioral nodes are associated with abuse of permissions, recording the graph location, associated node identifier, and behavior occurrence timestamp of each sensitive behavioral node. Finally, a structured sensitive behavior-intent association set is formed, providing a clear analytical object for causal chain reasoning, such as... Figure 3 As shown.
[0025] The sensitive behavior-intent association set is input into the behavior causal chain inference engine. The causal contribution of each node is quantified by the intent trigger point causal contribution algorithm. The formula is as follows: in, Represents a node Causal contribution to the triggering of sensitive intentions; These are, respectively, the intent relevance weight, the time sequence weight, and the association propagation weight; For nodes Semantic relevance to target-sensitive intent I; For nodes Temporal weights; For nodes The set of directly adjacent nodes in a semantic graph For nodes With neighboring nodes Association weights, For adjacent node pairs Causal contribution transit terms, Representative node For the causal contribution of sensitive intent triggers, this algorithm comprehensively considers the semantic relevance of nodes to the intent of permission abuse, the temporal weight of node behavior, and the causal contribution transmission effect of adjacent nodes, making the calculation of causal contribution more comprehensive and accurate. The causal contribution of all nodes is calculated iteratively. Calculation stops when the iteration error meets a preset requirement, and the node with the largest causal contribution is determined as the intent trigger point. If multiple nodes have small differences in causal contribution, the node with the earliest behavior is determined as the intent trigger point, based on the temporal sequence of node behavior, ensuring accurate trigger point location. Using the located intent trigger point as the core, the algorithm extracts the corresponding graph hierarchy information, associated nodes, and behavior timestamp, identifying nodes at each level directly related to the trigger point, clarifying the core of the source and the scope of association. Causal contribution screening criteria are set, selecting nodes with causal contribution meeting the criteria and behavior timestamps earlier than the trigger point as pre-inducing nodes, and nodes with causal contribution meeting the criteria and behavior timestamps later than the trigger point as subsequent influencing nodes, clearly defining different stages of behavior evolution. The preceding inducing nodes, intent triggering points, and subsequent impact nodes are linked together in the order of the behavior's timestamp. Each linked node is labeled with its corresponding intent type, causal contribution, and association type, enriching the chain information. The integrity of the linked chain structure is verified, missing key node association information is supplemented, and redundant nodes without actual association are eliminated. Finally, a complete traceability chain containing node hierarchy, node identification, behavior sequence, and causal relationship is formed, fully restoring the occurrence and development path of the abuse of permissions.
[0026] By integrating cross-modal semantic graphs, sensitive behavior intent classification results, complete tracing chains, and intent trigger points, a standardized tracing report is generated, containing details of privilege abuse behavior, intent analysis conclusions, and a tracing evidence chain, making the tracing results more systematic and persuasive. Visualization tools present the tracing results in an intuitive graphical form, clearly showing the trigger source, propagation path, and scope of impact of privilege abuse behavior, reducing the understanding cost for staff. Interactive operations are supported, such as node querying, chain expansion, and detailed viewing, facilitating quick location of key information. Report export functionality is also provided, offering strong evidence for enterprise security operations personnel to handle privilege abuse incidents, adjust access control strategies, and strengthen internal network security protection, improving security handling efficiency and protection accuracy. Figure 1 As shown.
[0027] This embodiment addresses the need for tracing the source of network privilege abuse within enterprises. It comprehensively integrates various heterogeneous data through multi-source data collection and preprocessing, ensuring data quality and compliance through standardization, verification, deduplication, and anonymization, laying the foundation for subsequent analysis. Cross-modal semantic graph construction utilizes a hierarchical large language model to achieve data semantic parsing and feature extraction, combined with a cross-modal semantic fusion weighting algorithm to construct a precise behavioral association graph. Sensitive behavioral intent classification uses a trained, benchmark-compliant model to screen high-confidence privilege abuse nodes, clearly defining the tracing target. Causal chain reasoning tracing uses an intent trigger point causal contribution algorithm to locate trigger points and connect them to form a complete tracing chain. Finally, through visualization and report export, it provides strong support for enterprises to handle privilege abuse incidents and optimize privilege management strategies, effectively ensuring the security of core enterprise production data.
[0028] Example 2: Example of tracing the source of malicious code execution behavior in a smart park IoT system.
[0029] The smart park has deployed a large number of IoT devices, including security monitoring equipment, environmental monitoring terminals, and intelligent access control systems. These devices are connected to the core server and management platform through the park network. Recently, the park network detected abnormal data transmission, which is suspected to be malicious code execution. It is necessary to use the method of this invention to trace the source and prevent the spread of security risks.
[0030] This process involves collecting multi-source heterogeneous data from the smart park's IoT system, including network traffic characteristics from core servers, operation logs from security monitoring equipment, operation records from environmental monitoring terminals, API call sequences from smart access control systems, network session connection information, terminal device operating status data, and platform audit data. Different data types, such as text, numerical, and log data, as well as structured, semi-structured, and unstructured data, are standardized and packaged to ensure consistent data formats for subsequent processing, breaking down data format barriers. Data validation is conducted to identify and remove abnormal and invalid data, ensuring data quality. Deduplication is performed to remove duplicate data, reducing redundancy and improving subsequent processing efficiency. Fields involving sensitive park information are anonymized to ensure data security and compliance, preventing information leakage. After processing, the data is stored in a distributed database to ensure efficient data retrieval and subsequent analysis, laying a solid data foundation for the entire traceability process.
[0031] The preprocessed data is input into a hierarchical large language model based on the Transformer architecture. The input layer encoding module of this model encodes the preprocessed multi-source heterogeneous data in a unified format, enabling smooth input of different data types. The semantic parsing module performs contextual semantic association analysis through a multi-layer Transformer encoder, accurately completing behavioral entity recognition, behavioral relationship extraction, and preliminary semantic intent determination, uncovering potential associations between IoT device behaviors. The feature extraction module uses an attention mechanism to filter and enhance key features of the parsed semantic information, outputting fixed-dimensional semantic feature vectors that highlight core behavioral features. The cross-modal adaptation module performs semantic alignment processing for modal differences in multi-source data, solving the problem of inconsistent understanding of multimodal IoT data. A cross-modal semantic fusion weighting algorithm is used to calculate the association weights between nodes. Based on the semantic parsing results and extracted feature information, four types of nodes are defined and divided: network layer, device layer, behavior layer, and data layer. Network layer nodes correspond to network addresses, ports, and network protocols; device layer nodes correspond to terminal devices, servers, and IoT devices; behavior layer nodes correspond to operational behaviors, access behaviors, and data transmission behaviors; and data layer nodes correspond to log data, configuration data, audit data, image data, and video data. Each node is associated with semantic feature vectors, behavioral attributes, timestamps, and modality type attributes. Image nodes are additionally associated with visual feature vectors containing texture, contour, and operation area features, while video nodes are additionally associated with frame sequence feature vectors, frame extraction results, and timeline information. Based on the calculated association weights, association edges between nodes within each layer and cross-layer association edges between nodes are established. Intra-layer association edges include intra-modal and cross-modal associations between images, videos, text, and videos. Cross-layer association edges include subordinate associations between video data nodes and terminal device nodes, causal associations between cloud desktop screenshot nodes and user action nodes, and interactive associations between video frame feature nodes and network traffic nodes. All association edges are labeled with corresponding weight values and association types. Subsequently, consistency checks are performed on nodes and association edges at each layer, verifying the rationality of associations between visual and non-visual modal nodes, eliminating invalid, false, and redundant associations, and constructing a cross-modal behavioral semantic graph that accurately reflects the behavioral associations of the park's IoT system, providing structured support for sensitive behavior recognition.
[0032] Based on the BERT-base pre-trained model, a training data source is constructed by combining pre-processed behavioral data from smart parks, semantic graph behavioral layer node information, and publicly available cybersecurity behavioral datasets. The training, validation, and test sets are proportionally split to ensure sufficient training and fair evaluation. During training, the contextual semantic features of behavioral nodes, the weights of associated nodes, and behavioral attribute information are concatenated as model input to enrich the information dimensions of model learning. A specified optimizer is used, with the cross-entropy loss function as the optimization objective, to iteratively update model parameters. An early stopping strategy is introduced to prevent overfitting and ensure stable predictive performance. After training, model performance is validated using metrics such as accuracy, recall, and F1 score to ensure the model meets preset standards, resulting in a more accurate intent recognition pre-trained model for intent classification. Semantic features, behavioral attributes, and associated node information of each behavioral node in the semantic graph are extracted and input into the trained intent classification pre-trained model to predict the intent type of each behavioral node and output the corresponding confidence score. Based on a pre-set confidence threshold, sensitive behavioral nodes that meet the confidence level and whose intent type is malicious code execution are selected to accurately identify risky behaviors. These nodes are then verified to confirm that their semantic features and behavioral attributes match the malicious code execution intent, thus avoiding misjudgment. Subsequently, the sensitive behavioral nodes are associated with the malicious code execution intent, and the node's graph location, associated node identifier, and behavior occurrence timestamp are recorded to form a structured sensitive behavior-intent association set, which clarifies the target for subsequent causal chain reasoning.
[0033] The sensitive behavior-intent association set is input into the behavior causal chain inference engine. An intent trigger point causal contribution algorithm is used to quantify the causal contribution of each node to triggering the malicious code execution intent. This algorithm integrates the semantic relevance of nodes to the malicious code execution intent, the temporal weight of node behavior, and the causal contribution propagation effect of adjacent nodes, making the causal contribution calculation more comprehensive and scientific. The causal contribution of all nodes is obtained through iterative calculation. Calculation stops when the iteration error meets the requirements, and the node with the largest causal contribution is determined as the intent trigger point. If multiple nodes have similar causal contribution, the intent trigger point is determined by combining the temporal sequence of node behavior, ensuring accurate source localization. Using the intent trigger point as the core, its corresponding graph hierarchy information, associated nodes, and behavior occurrence timestamps are extracted. Nodes at each layer directly related to the trigger point are identified, clarifying the scope of tracing. Based on preset causal contribution screening criteria, pre-inducing nodes with causal contribution meeting the criteria and behavior occurring earlier than the trigger point, and subsequent influencing nodes with causal contribution meeting the criteria and behavior occurring later than the trigger point are selected, clearly reconstructing the behavior evolution. The preceding inducing nodes, intent triggering points, and subsequent impact nodes are linked together in chronological order of the behavior's occurrence timestamp. Each linked node is labeled with its corresponding intent type, causal contribution, and association type, making the chain information more detailed. The integrity of the linked chain structure is verified, missing key node association information is supplemented, and redundant nodes with no actual connection are eliminated. Finally, a logically rigorous and informationally complete malicious code execution behavior tracing chain is constructed, fully presenting the propagation path of malicious code execution behavior.
[0034] By integrating cross-modal semantic graphs, intent classification results, complete attribution chains, and intent trigger points, a standardized attribution report is generated, containing details of malicious code execution behavior, intent analysis conclusions, and an attribution evidence chain, making the attribution results more authoritative and practical. Visualization tools present the attribution results in an intuitive and easy-to-understand format, clearly showing the initiating device, propagation path, triggering source, and subsequent impact of malicious code execution behavior, reducing the difficulty of interpretation for park security management personnel. Interactive operations are supported for park security management personnel, facilitating quick access to key information and improving attribution efficiency. Report export functionality is also provided, offering reliable support for park security management departments to handle malicious code execution incidents, strengthen IoT device security, and optimize park network security protection strategies, effectively preventing the spread of security risks. Figure 2 As shown.
[0035] This embodiment focuses on tracing the malicious code execution behavior of IoT systems in smart parks. Multi-source data collection and preprocessing covers data from various IoT devices and systems within the park, ensuring data adaptability, security, and reliability through a series of processing steps. A cross-modal semantic graph is constructed to adapt to the characteristics of multimodal IoT data, using a large language model and specialized algorithms to build a graph that accurately reflects behavioral relationships. Sensitive behavioral intent classification accurately identifies malicious code execution nodes, providing a clear direction for tracing. Causal chain reasoning tracing uses professional algorithms to locate trigger points and completely reconstruct the malicious code propagation path. Visual presentation and standardized reports make the tracing results intuitive and easy to understand, supporting park security management departments in quickly handling incidents, strengthening equipment security, optimizing protection strategies, effectively preventing the spread of IoT system security risks, and ensuring the stable operation of the smart park network.
[0036] The above description is merely a preferred embodiment of the present invention and is not intended to limit the present invention in any way. Although the present invention has been disclosed above with reference to preferred embodiments, it is not intended to limit the present invention. Any person skilled in the art can make some modifications or alterations to the above-disclosed technical content to create equivalent embodiments without departing from the scope of the present invention. Any simple modifications, equivalent changes and alterations made to the above embodiments based on the technical essence of the present invention without departing from the scope of the present invention shall still fall within the scope of the present invention.
Claims
1. A method for tracking and tracing the source of sensitive network behaviors, characterized in that, The specific steps of this method are as follows: S1, Multi-source data acquisition and preprocessing: Collect multi-source heterogeneous data in the network environment, and store the collected data in a distributed database after standardization, encapsulation, verification, deduplication and desensitization. S2, Cross-modal semantic graph construction: The preprocessed multi-source heterogeneous data is input into a large language model for semantic parsing and feature extraction. The node association weights are calculated through a cross-modal semantic fusion weight algorithm to construct a cross-modal behavioral semantic graph. S3, Sensitive Behavior Intent Classification: Train the intent classification pre-trained model, predict the intent type of behavior nodes in the semantic graph, filter sensitive behavior nodes with confidence scores higher than a preset threshold, and form a sensitive behavior-intent association set; S4, Causal Chain Reasoning and Source Tracing: Input the sensitive behavior-intent association set into the behavior causal chain reasoning engine, quantify the causal contribution of nodes and locate the intent trigger point through the intention trigger point causal contribution algorithm, and build a complete source tracing chain; S5, Visualization of Source Tracing Results: Integrates semantic graphs, intent classification results, causal chains, and intent trigger points to generate standardized source tracing reports that include behavioral details, intent analysis conclusions, and source tracing evidence chains. The source tracing results are presented through visualization tools, supporting interactive operations and report export.
2. The method for tracking and tracing sensitive network behaviors according to claim 1, characterized in that, In S1, the multi-source data acquisition preprocessing involves acquiring multi-source heterogeneous data from the network environment. This multi-source heterogeneous data originates from various devices and systems within the network environment, including network traffic characteristics, operation log text, API call sequences, terminal device operating status data, user operation behavior records, network session connection information, and file transfer logs generated by core servers, network switches, terminal devices, and application systems.
3. The method for tracking and tracing sensitive network behaviors according to claim 1, characterized in that, In S2, the cross-modal semantic graph construction uses a layered structure based on the Transformer architecture, including an input layer encoding module, a semantic parsing module, a feature extraction module, and a cross-modal adaptation module. The input layer encoding module encodes preprocessed multi-source heterogeneous data in a unified format to achieve input adaptation for different types of data. The semantic parsing module performs contextual semantic association analysis through a multi-layer Transformer encoder to complete behavioral entity recognition, behavioral relationship extraction, and preliminary semantic intent determination. The feature extraction module uses an attention mechanism to filter and enhance key features of the parsed semantic information, outputting a fixed-dimensional semantic feature vector. The cross-modal adaptation module performs semantic alignment processing for modal differences in multi-source data.
4. The method for tracking and tracing sensitive network behaviors according to claim 1, characterized in that, In S2, the formula for the cross-modal semantic fusion weight algorithm in cross-modal semantic fusion is: ;in, For nodes in cross-modal behavior semantic graph With nodes The association weight; Encoding nodes for large language models and semantic similarity; For nodes and The normalized value of the co-occurrence frequency of the corresponding behavior; This is the time decay factor; The attenuation coefficient is... They are nodes The time when the corresponding behavior occurred; These are the modal fit coefficients; These are the weighting coefficients.
5. The method for tracking and tracing sensitive network behaviors according to claim 1, characterized in that, In S2, the process of constructing a cross-modal semantic graph is as follows: based on the semantic parsing results and extracted feature information of the preprocessed multi-source heterogeneous data, the definition and division of the graph nodes are first completed, and the node types are clarified to cover network layer nodes, device layer nodes, behavior layer nodes and data layer nodes; network layer nodes correspond to network addresses, ports and network protocols; device layer nodes correspond to terminal devices, servers and IoT devices. Behavioral layer nodes correspond to operational behaviors, access behaviors, and data transmission behaviors; The data layer nodes correspond to log data, configuration data, audit data, image data, and video data. Image data includes screenshots of cloud desktop operations, device monitoring, and user interface operations. Video data includes videos of cloud desktop operations, security monitoring, and terminal device operation status. Each node is associated with semantic feature vectors, behavioral attributes, timestamps, and modality type attributes. Image nodes are additionally associated with visual feature vectors, which include texture, contour, and operation area features. Video nodes are additionally associated with frame sequence feature vectors, frame extraction results, and timeline information. Based on the association weights calculated by the cross-modal semantic fusion weighting algorithm, association edges are established between nodes within each layer. These association edges include intramodal and cross-modal associations between images, videos, text, and text. Simultaneously, cross-layer association edges are constructed between nodes. These cross-layer association edges include subordinate associations between video data nodes and terminal device nodes, causal associations between cloud desktop operation screenshot nodes and user operation behavior nodes, and interactive associations between video frame feature nodes and network traffic nodes. The association edges are labeled with corresponding weight values and association types, including causal associations, subordinate associations, and interactive associations.
6. The method for tracking and tracing sensitive network behaviors according to claim 1, characterized in that, In S3, the specific process of training the intent classification pre-training model in the sensitive behavior intent classification is as follows: select BERT-base as the basic pre-training model, and use behavior records, semantic graph behavior layer node information and public network security behavior datasets in preprocessed multi-source heterogeneous data as training data sources, and divide the training set, validation set and test set in an 8:1:1 ratio. During training, the 76-dimensional contextual semantic features of the behavior nodes, the weights of associated nodes, and the behavior attribute information are concatenated as model input. The AdamW optimizer is used, with a learning rate of 2e-5 and a batch size of 32. The cross-entropy loss function is used as the optimization objective. An early stopping strategy is introduced during training: training is stopped when the validation set loss does not decrease for 5 consecutive epochs to avoid model overfitting. After training, accuracy, recall, and F1 score are used as evaluation metrics to verify the model performance.
7. The method for tracking and tracing sensitive network behaviors according to claim 1, characterized in that, In S3, the process of predicting the intent type of behavior nodes in the semantic graph and filtering sensitive behavior nodes with confidence scores higher than a preset threshold in the sensitive behavior intent classification is as follows: First, extract the semantic features, behavior attributes and related node information corresponding to each behavior node in the semantic graph, input them into the trained intent classification pre-trained model, determine the intent type of each behavior node and output the corresponding confidence score. The determined intent types include illegal access, data theft, permission abuse, malicious code execution, illegal data transmission and normal operation. A confidence threshold of 0.85 is set. The confidence of the intent of each behavioral node output by the model is compared with this threshold. Nodes with a confidence of 0.85 or higher and whose intent type belongs to illegal access, data theft, abuse of privileges, malicious code execution, or illegal data transmission are selected as sensitive behavioral nodes. The selected sensitive behavioral nodes are verified to confirm that the semantic features and behavioral attributes of the nodes match the determined sensitive intent type. The sensitive behavioral nodes are then associated and bound with the corresponding intent type. The graph position of each sensitive behavioral node, the identifier of the associated node, and the timestamp of the behavior occurrence are recorded to form a structured sensitive behavior-intent association set.
8. The method for tracking and tracing sensitive network behaviors according to claim 1, characterized in that, In S4, during causal chain reasoning and tracing, the formula for the intention trigger point causal contribution algorithm is as follows: ,in, Represents a node Causal contribution to the triggering of sensitive intentions; These are, respectively, the intent relevance weight, the time sequence weight, and the association propagation weight; For nodes Semantic relevance to target-sensitive intent I; For nodes Temporal weights; For nodes The set of directly adjacent nodes in a semantic graph For nodes With neighboring nodes The association weight; For adjacent node pairs causal contribution transitive terms; Representative node Causal contribution to the triggering of sensitive intentions.
9. The method for tracking and tracing sensitive network behaviors according to claim 1, characterized in that, In S4, the specific process of constructing a complete tracing chain in causal chain reasoning is as follows: Taking the located intent trigger point as the core, extract the graph-level information related nodes and behavior occurrence timestamps corresponding to the trigger point, and sort out the network layer, device layer, behavior layer, and data layer nodes that are directly related to the trigger point; set the causal contribution screening standard, and select nodes with a causal contribution greater than or equal to 0.3 and behavior occurrence timestamps earlier than the trigger point as pre-inducing nodes, and select nodes with a causal contribution greater than or equal to 0.2 and behavior occurrence timestamps later than the trigger point as subsequent influencing nodes; connect the pre-inducing nodes, intent trigger points, and subsequent influencing nodes in the order of behavior occurrence timestamps, and label each connected node with the corresponding intent type, causal contribution, and association type, including causal association, subordinate association, and interactive association; perform integrity verification on the chain structure formed by the connection, supplement the missing key node association information, and remove redundant nodes without actual association; integrate the verified node connection relationship and each node information to form a complete tracing chain containing node level, node identifier, behavior time sequence, and causal relationship.